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ABSTRACT 



This paper demonstrates a nuclear reactor safety monitor incor- 
porating hard-wired, redundant, digital program modules that control 
independent, redundant, digital monitor modules. One monitor module 
is used for each parameter significant to reactor safety. The charac- 
teristics of a proposed LIQUID METAL FAST BREEDER REACTOR 
are used as the reference performance criteria. The established cri- 
terion that a single failure must not prevent reactor shut down is used 
as the failure mode criterion. Within the program module, a pro- 
grammable read-only memory (PROM) is used for sequence control of 
another PROM containing variable length subroutines. The subroutine 
PROM outputs are used as photo -isolated logic outputs for sequence 
control of the various monitor modules. The program module action 
is modelled on a digital computer. A four-input digital monitor module 
is developed. This module provides a shut down signal if three of the 
inputs exceed the parameter limit. 
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Table I. TABLE OF SYMBOLS 



An Event or Result 



A+B+C 



A* B* C 



<3 

a 



A 

B 

C 

A 

B 

C 



Logical "OR” - Output occurs if 
any of the inputs occur. 



Logical "AND" - Output occurs only 
if all the inputs occur. 



A*B 




A 

B 





Logical "NOT" - Output of 
function is inverted. 



Basic Fault-The fault requires no 
further analysis. 



Fault Basic to a Given. Tree-The 
fault can be caused by even more 
basic failures. 



Transfer In-Preceeding events 
occur elsewhere on the fault tree. 



A 



Transfer Out-The result of this 
event also effects another section 
of the fault tree. 
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I. INTRODUCTION 



The rapidly increasing electrical power demands in the United 
States and the resultant decreasing availability of natural fuels has 
caused a great demand by utility companies for nuclear powered gen- 
erating stations of any kind. This, in turn, has placed heavy demands 
on the nation's ability to process from natural ores the amounts of 
fissile (i.e., easily split by neutron interaction into by-products and 
excess high-energy neutrons) uranium and plutonium required to fuel 
the reactors. These are mostly light-water moderated, thermal 
reactors which operate at moderate temperatures (500-700 F> and use 
saturated steam to power the electric generators. Much larger but 
presently little used supplies of uranium, thorium, and plutonium are 
not easily fissionable in their natural state but do easily absorb neu- 
trons and become fissile materials suitable for reactor fuels. These 
materials are referred to as "fertile. " 

During the 1960's a development program was instituted by the 
United States Atomic Energy Commission (AEC) to develop sodium 
cooled fast breeder reactor plants intended to convert fertile fuel into 
fissile fuel (breeding) in addition to supplying electricity. Since cool- 
ant temperatures are higher in this process, more efficient conversion 
of thermal energy into electrical energy is feasible also. The poten- 
tial result is enhanced availability of nuclear fuel, both by breeding 
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and by increased plant efficiency. (See Appendix A, the introduction 
to the LIQUID METAL FAST BREEDER REACTOR (LMFBR) DEVEL- 
OPMENT PLAN, v. 1. [Ref. 1]). 

The LMFBR Development Plan [Ref. 1] presents the state-of- 
the-art advances required by the much harsher environment character- 
ized by higher neutron and gamma fluxes, higher temperatures, and 
liquid metal coolant. These documents indicate that current levels of 
technology are unsatisfactory in almost all areas and that concurrent 
research is being pursued. References 6-9 indicate some of this 
research with respect to reactor instrumentation. Reference 6 dis- 
cussus the test facilities required and efforts to upgrade test environ- 
ments from 700 F to 1400 F, 10 a nv thermal-neutron flux to 10 nv 
fast -neutron flux, and 10^ R/h to 10^ R/h gamma flux. Research 
efforts in sensor development for temperature (thermocouples), 
neutron flux, flow, pressure, level, and strain are also discussed. 
Reference 7 discussus a possible microwave temperature sensor con- 
figuration. Reference 8 reports work on in-core, self-powered, fast- 
neutron flux monitors. Rpference 9 discussus the problems of radia- 
tion induced noise on electrical signal cables. The varying approaches 
taken by the researchers indicate that optimum instrumentation tech- 
niques are yet to be proven. 

The exact configuration of the reactors and controls, and the 
methods of detecting, transmitting, and utilizing various parameters 
are undetermined. This situation forces the use of assumptions of 
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most likely future conditions. Published feasibility studies have pro- 
vided insight into probable reactor designs and those parameters 



required to be measured and used for safety considerations. Refer- 
ence 10, a good example of such a study based on the estimated state 
of the technology in 1980, proposes a 3-loop, double heat exchange,. 
1150 F, 2415 Mwt, 43% efficient plant, with a fuel doubling time of 
14. 3 years, and a core lifetime of 605 full power days. Direct digital 
control is proposed for many operations in the plant, including safety 
system backup. Figure one illustrates the referenced concept of the 
plant control system, primarily analog. The importance of the figure 
to this work is its use as an illustration of typical relationships among 
control parameters. Figure two shows the referenced plant's gross 
relationship between the control systems of figure one and the digital 
computer. The analog safety monitor system operates as part of the 
"Nuclear Safety and Control System" to provide safety actions if para- 
meter limits are exceeded. An important point not clear in the figure 
is the required independence of the nuclear safety and nuclear control 
systems. Functions which initiate safety shutdown are: 

1. high outlet temperature 

2. high start up rate 

3. high power level 

4. low flow rate 

5. low coolant level 

6. high neutron flux /flow rate 

7. turbine generator trip 
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8 . 



loss of feedwater 



9. loss of heat sink 

10. loss of vital instrument power 

11. manual trip 

Reference 10 is not a final study and does not develop the hardware to 
accomplish the objectives. 

The safety criteria discussed in the various publications are all 
based on the concept of preventing a power excursion or other event that 
could damage the core and release activity to the coolant or atmosphere. 
From this concept, several criteria pertinent to this investigation have 
been developed: 

1. The nuclear power plant protection system shall, with 
precision and reliability, automatically initiate appropriate 
protective action whenever a plant condition monitored by 
the system reaches a pre-set level. 

2. Components and modules shall be of a quality that is con- 
sistent with minimum maintenance requirements and low 
failure rates. 

3. Channels that provide signals for the same plant protective 
function shall be independent and physically separated. 

4. Any single equipment failure within the protective system 
shall not prevent proper protection system action when 
required (single failure criterion). 

These criteria have resulted in multiple safety channels, multiple 

power supplies, and required periodic testing of safety channels. 

References 11-15 discuss many of these concepts in detail. • In any 

case, each individual reactor installation must be reviewed and 

approved by the AEC prior to operation. 
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Presently, analog safety systems provide the proper isolation 
and redundancy for a safety system but suffer from additive errors 
due to the series arrangement of components; widening the margin 
between an allowed indicated condition and allowed actual condition. 
Since multiple adjustments are provided in analog channels, they 
must be regularly checked to ensure that they are still within allowed 
tolerances. A digital form of data transmission appears to be capable 
of providing channel separation, and yet can both reduce the number of 
error introducing components in the safety circuit and be made largely 
self-checking. 
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Figure 1. LMFBR CONTROL SYSTEM [Ref. 10] 
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Figure 2. LMFBR SYSTEMS AND INSTRUMENTATION 
COMMUNICATIONS CHANNELS [Ref. 10] 




II. OBJECTIVES 



Consideration of current practice in reactor control design, 
digital techniques, and safety criteria, coupled with anticipated 
requirements [Refs. 1-5, 10, Appendix B], led to the conclusion that 
some digital technique should provide a reliable and acceptable safety 
monitoring system for the LMFBR. Figure 3 illustrates the overall 
approach taken by this investigator in developing such a safety monitor 
system. Two basic concepts were incorporated. One concept was to 
have each safety parameter channel and its monitor module indepen- 
dent of the others and to have each channel comply with the conditions 
required in Sec. II B, ASSUMPTIONS, and Sec. II C, CRITERIA FOR 
IDEAL PERFORMANCE, of this report. The other concept was to 
provide a redundant and independent program module that would con- 
trol the operation of the various monitor modules yet maintain their 
individual independence. 




Safety Control Control Safety 

Action Inputs Inputs Action 

Outputs Outputs 



Figure 3. OVERALL APPROACH TO A DIGITAL SAFETY MONITOR 
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A. 



OBJECTIVES OF THIS INVESTIGATION 



The objective of this investigation was to provide the following 
within the framework of LMFBR operation: 

1. Compare the characteristics of sequential-step stored- 
program design with sequential-step hard-wired design 
of a monitor within the framework of speed, program 
hardness, and separability of channels. 

2. Design a solid-state program module that would replace 
a stored program, maximize parallel-parameter opera- 
tion of the safety monitor, and provide for field program 
changes. 

3. Determine how closely this solid-state program module 
satisfied the ideal monitor criteria. 

4. Demonstrate, by designing a digital monitor module, a 
digital method of monitoring one safety parameter. Investi- 
gate the extent to which safety channel separability, self 
test, and abnormal operation determination could be main- 
tained in this one parameter channel. 



B. ASSUMPTIONS 

Since the LMFBR was undeveloped, assumptions were required 
to provide a framework for investigation: 

1. The LMFBR configuration of Ref. 10 was to be used. 
Pertinent details of the configuration are listed in the 
introduction. 

2. On-line digital computer control would be used. 

References 16-23 support this contention and discuss 
sampled-data techniques, optimal control, and several 
presently-installed digital control systems. 

3. The control computer, though separate from the safety- 
system, would have the safety limits programmed. 

4. The environmental and performance requirements of 
Appendix B must be met. 
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5. A separate monitor unit for safety parameters would be 
used in addition to the on-line control computer to provide 
two independent mechanisms for actuating the safety shut 
down system. 



C. CRITERIA FOR IDEAL PERFORMANCE 

Ideally this monitor should satisfy the following criteria: 

1. Operate with sufficient speed to protect the LMFBR. 
Reference 10 mentions a minimum delay of 100 msec, 
with 200 msec, more probable. 

2. Maintain reactor protection if control computer fails. 

3. Monitor failure should not prevent the control computer 
from initiating reactor shutdown. 

4. Be compatible with control computer operation. 

5. Have a program that: 

a. Is hard under all operational conditions. 

b. Can be changed without disturbance of wiring. 

6. Be more reliable than the control computer. 

7. Detect its own abnormal operation. 

8. Operate without large storage requirements or need for 
external devices such as tapes. 

9. Provide a means to change safety limits easily for plant 
maintenance. 

10. Be modularized to minimize downtime. 
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III. COMPARISON OF SMALL SEQUENTIAL-STEP 
STORED- PROGRAM AND HARD-WIRED COMPUTERS 



The general public acceptance of minicomputers for dedicated 
control and monitoring applications prompted an investigation of the 
utility of these machines with respect to LMFBR safety monitor imple- 
mentation. The literature describing these machines emphasizes 
reliability, low cost, expandable configuration, and custom-tailored 
functions. All of these assets would be pertinent to LMFBR utiliza- 
tion provided that speed, channel separation, and single failure criteria 
were met. 

A. IMPORTANT CHARACTERISTICS OF SMALL SEQUENTIAL 

STEP STORED-PROGRAM COMPUTER 

A small sequential-step stored-program computer (minicomputer) 
stores its program and data in core memory and executes the program 
step by step at the register transfer level. Though some may use a 
read-only memory to control the arithmetic unit and registers, allow- 
ing several arithmetic operations or register transfers (some simul- 
taneously) per core memory cycle time, the program steps are executed 
sequentially at the operation level; i.e., multiply, divide. The storing 
of the basic operations in a read-only memory is sometimes called 
"firm-wired. " Typical cycle time is 1-2 microseconds for each simple 
operation (one read-write time). 
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The most important characteristic features that restrict the 
utility of these machines for the nuclear monitoring application are: 

1. Storage in the computer memory unit of both program 
sequence and data. Inherently, the program and the 
data from the various safety channels in a reactor 
safety monitor environment are brought together, 
violating the philosophy of monitor channel separation. 

2. Common busses for data transfer. Again, one failure 
can effect both program and data if the bus is associated 
with the memory unit. One failure can effect data from 
all safety channels if the failure is associated with a data 
bus. 

3. Sequential data handling. In a small machine, no pro- 
vision is made for parallel handling of data from more 
than one source at a time. 

4. Requirements for external equipment to input the program 
if it fails or if safety limits require changing. 

5. Checkout programs cannot be independently run in parallel 
with the main program. 



B. IMPORTANT CHARACTERISTICS OF SMALL SEQUENTIAL- 
STEP HARD-WIRED COMPUTERS 

A small sequential-step hard-wired computer maintains its 
main program in its wiring or read-only memory thus eliminating a 
stored program. 

Important characteristic features: 

1. Can operate at faster speeds because a read-write cycle 
into core memory is not required to access the program. 

2. Retains sequential steps for the main program. 

3. Simple machines tend to retain common data busses and 
a single arithmetic unit. 
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4. Expansion to provide parallel data handling appears to be 
easier to accomplish than with a primarily software machine. 

5. The wiring or hard memory must be changed to change the 
program sequence. 

6. Application of the single failure criterion requires multiple 
har dware. 

7. Test programs either result in interbus connections, 
destroying channel separation, or must be externally applied. 

C. COMPARISON AND CONCLUSION 

Comparison of the characteristics of stored-program design with 
hard-wired design led to the conclusion that a small stored-program 
device was unsatisfactory and to the search for a device that would 
utilize the desirable features, such as higher speed and a hard program, 
of a hard-wired computer, improve the ability to provide for simultane- 
ous parallel operation of independent steps, incorporate self-test while 
providing data channel isolation, and reduce the amount of hardware 
needed to provide redundancy. The result was the Program Module 
described in this paper. 
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IV. PROGRAM MODULE DESIGN 



A. GENERAL CONSIDERATIONS 

The first tasks encountered in the design of the program module 
were the selection of suitable memory and micrologic systems. Par- 
ticular emphasis was placed on availability and variety of packaged 
functions, compatability between memory and micrologic, speed of 
operation, temperature range allowed, and resistance to propagation 
of failures. A field-programmable, read-only memory (PROM) con- 
cept was selected because it offered a hard, but easily changeable, 
program in an integrated form. Transistor -transistor logic (TTL) 
medium scale integration (MSI) logic gates and setable counters 
(Registers) were selected because they appeared to provide a wider 
range of packaged complex functions and higher speed than the metal- 
oxide- semiconductor (MOS) type logic. Other attributes of TTL are: 
a wide range of allowed operating temperature (-55C to +125C), input 
diode clamping to reduce line-noise reflections, and a wide variety of 
speed and power specifications. 

The program module for the monitor [Fig. 4] was based on the 
concept that some parameters must be monitored at shorter periods 
than others, such that the longer monitor periods could be made some 
multiple of the shortest one. This allowed a simple synchronization 
scheme with longer-period events inserted at the appropriate time. 
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Appendix B supports this concept. It was possible then to make each 
monitor event or test sequence a subroutine that could be called at the 
proper time. Two clock frequences were required; one at the sub- 
routine operating frequency and one to synchronize the shortest moni- 
tor period. The output of the subroutine PROM consisted of dedicated 
bits, confining the effect of a bit failure compared to the effect if 
decoders were to be used in conjunction with the PROM output. The 
dedicated bit concept allows the system designer a great deal of lati- 
tude in the use of parallel and concurrent monitor events and in the 
use of feedback within the control module to control subroutines of 
varying lengths. 

The problem of electrical and physical isolation was solved by 
application of photo -isolators to the subroutine PROM outputs. A 
photo-isolator is a packaged unit consisting of a light- emitting diode, 
a photo-sensitive transistor or reverse-biased diode, and a clear 
insulator between them. The only connection between the input and 
output is light. 

The output of the diode -transistor type photo-isolator is com- 
patable with TTL inputs but the signal rise and fall times are much too 
long (5-20 microseconds) to be useful in this application. The output of 
the diode-diode type photo-isolator is not directly compatable with TTL 
inputs. A MOS input-TTL output buffer has been developed that oper- 
ates at TTL voltage and reduces propagation delay to the .05-. 1 micro- 
second range. This device allows the use of the diode-diode photo- 
isolator configuration. 
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B. 



DESCRIPTION OF A PROGRAM MODULE [Fig. 4] 
1. Subroutine PROM (RS) 



The subroutine PROM (RS) is a 1024 word x (N+2) bit PROM 
where N is based on overall monitor requirements. With the excep- 
tion of the two feedback control bits, the output of RS is arbitrary and 
each bit is dedicated to some function to be performed. Feedback bus 
RSA holds a logical "1" only when that word is the last word of a sub- 
routine, and feedback bus RSB holds a logical "1" only when that word 
is the first word of a subroutine. A subroutine may be of arbitrary 
length but must be at least two words long. Propagation times in the 
feedback paths also require that, at the 10 MHZ clock frequency, each, 
subroutine be at least two words long. The longest propagation time 
is in the PROM itself and is limiting; considering that faster counters 
and logic gates exist. 

2. Subroutine Address Register (SAR) 

The subroutine address register is a ten bit binary counter. 
During a subroutine the counter counts up one count each clock pulse; 
incrementing the address of RS by one. At the end of a subroutine, 
logic into the CET and PE (active low, parallel enable) inputs causes 
incrementing to stop and, when conditions pre-determined by logic on 
bus RPB are met, the first address in the next subroutine to be entered 
by parallel input from the program PROM-RP. Since only eight parallel 
input lines are available in the basic configuration, the number of pre- 
set addresses is only one fourth of the total number of addresses in 
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SAR and RS. Two hundred fifty six separate subroutines seem to be 
adequate, considering that PROM dedicated bits may be used regard- 
less of the subroutine involved, but, if more subroutines were 
required, the PROMs and registers could be expanded. 

3. Program PROM (RP) 

The sequence of subroutines is stored in PROM-RP (256 
words by 12 bits) and sequentially executed. An eight bit bus, RPC, 
contains the start address of the next subroutine, a three bit bus, 

RPA, contains the number of times the next subroutine is to be 
repeated prior to going on, and a one bit bus, RPB, contains a logical 
"0" if the start of the next subroutine must be synchronized with the 
sync input. Since the main program and the subroutines are contained 
in different PROMs, they can be changed independently. 

4. Program Count Register (PCR) 

The program count register [Fig. 6] is a four bit binary up/ 
down counter that counts down, being clocked by bits on bus RSB; 
therefore, one count occurs per subroutine. When 0000 is reached 
the terminal-count-low or borrow gate enables the program address 
register PAR. At the start of the next subroutine, PAR is incremen- 
ted and PCR goes to 1111 (binary). After the first step of the sub- 
routine, PCR receives parallel inputs for the number of repeats of 
the next subroutine. 
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5. Program Address Register (PAR) 



The program address register is an eight bit binary counter 
similar to SAR. It is enabled by the PCR terminal-count-low gate and 
uses the RSB output as a clock. 

6. Enable Logic for the Subroutine Address Register (SAR) 

(PE) = (RSA • (RPB + SYNC)) - i.e., parallel entry is 

permitted only at the end of a subroutine and, if required by RPB = "0, " 
at a sync pulse. 

(CET) = (SYNC + RPB + RSA) - i.e., both counting up and 
parallel entry are inhibited at the end of a subroutine unless conditions 
for PE are met. These gates are constructed as shown in Fig. 5 and 
consist of one standard MSI chip each. 

7. Reset Circuitry 

The reset circuitry consists of two elements. Upon initial 
turn-on or recovery of voltage, one element (low-voltage reset) resets 
the PAR, resets the SAR, and enables the parallel input into the PCR. 
Upon encountering a 111 (binary) on bus RPA (end of programmed 
portion of program PROM), the second element (end-of-program 
reset) resets the PAR only. The low-voltage reset may consist of a 
delay device to hold the resets and parallel enable low until after Vcc 
has risen. The end-of-program reset consists of a simple three-input 
NAND gate. 
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C. FAULT TREE OF A PROGRAM MODULE 

Table I shows the symbols used in constructing all fault trees 
in this paper. Figure 7 is the fault tree of the control module. 

1. Power Supply Failures 

Power supply failures were not included in the control 
module fault tree because a loss of voltage would cause the control 
module to reset and a catastrophically high voltage would cause burn- 
out of the light-emitting diodes in the photo -isolators, having the 
same effect as a reset. Provision is made in the digital monitor 
module construction for voting inputs from three parallel program 
modules; thus preventing a single failure of a program module from 
inhibiting monitor operation. 

2. Analysis with Respect to the Single Failure Criterion 
Review of the fault tree of the program module revealed that, 

while the module contains several feedback paths, the effect of any 
fault is to prevent proper output; hence a serial fault tree and implied 
serial consideration of reliability. The serial nature of faults dictates 
redundant program modules to satisfy the single failure criterion 
[Ref. 14] which states that no single failure may prevent reactor shut 
down. 



D. TEST REQUIREMENTS FOR THE PROGRAM MODULE 

Self-test circuitry in the program module cannot test the connect- 
ing wiring between the program module and monitor modules and per- 
forms little function not tested elsewhere. It also tends to reduce both 
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the dedication of PROM-RS dedicated bits and the reliability, due to 
increased complexity, of feedback paths. It was decided, based on 
these deleterious conditions, coupled with the simple implementation 
of redundant program modules, to provide for testing at the monitor 
module level. 

E. COMPUTER MODEL OF THE PROGRAM MODULE 

Operation of the program module was tested using a digital 
computer model [Appendix C]. The functional requirements for the 
reset circuitry were developed using this model. The model verified 
that the program module configuration of Fig. 4 operated in the 
desired manner. 
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Figure 4. PROGRAM MODULE BLOCK DIAGRAM 
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Figure 7. PROGRAM MODULE FAULT TREE 




V. DIGITAL MONITOR MODULE DESIGN 



This section describes the design of a Digital Monitor Module 
whose function is, under the control of the program module, to com- 
pare four independent digital signals representing a safety parameter 
with a digital representation of the parameter limit and provide two 
independent shut down signals if three of the four incoming signals 
exceed the parameter limit. The module test facilities provide for 
functional test of the module and, coupled with other monitor modules, 
the program modules. 

A. GENERAL CONSIDERATIONS 

In a four-parameter channel, the detectors are usually grouped 
into tv/o sub-groups for power source and signal channel considerations 
as shown in Figure 8. Each sub-group is powered from at least two 
independent sources determined by the overall plant design. Detectors 
A and C would be associated with power bus I and signal channel I, and 
detectors B and D would be associated with power bus II and a signal 
channel II. Reference 14 requires that Channel I and associated cir- 
cuitry must be physically and electrically isolated from channel IT and 
its circuitry, yet at some point the signals must be combined to provide 
two independent safety shut down (SCRAM) channels, each representing 
a combination of data from all four sources. The inability to provide 
electrical isolation using integrated circuits severely limits the use of 
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such circuits in the logic design of such a channel. The module design 
effectively copes with that limitation. 

The portion of interest of Figure 8 is inside the dotted lines,, 
and consists of the comparater modules and scram logic modules- 
These modules, while independent, are controlled by redundant pro- 
gram modules. 

B. SPECIFIC DESIGN CHARACTERISTICS EMPLOYED 

1. Comply with the philosophy of separation of scram channels.. 

2. Incorporate integrated circuits to the extent that the failure 
of one IC does not interrupt both safety signals in a signal 
channel. 

3. Indicate an unsafe reactor condition upon loss of power to 
the module or component that processes a signal. 

4. Prevent the propagation of device failure throughout the 
monitor. 

5. Be amenable to some periodic test to detect a device 
failure indicating a safe reactor condition. 

6. Provide for adjustment of parameter limit setpoints. 

C. DESIGN CHOICES 

The comparator module [Fig. 9] shows the result of several 
comparisons of techniques. One comparison was among techniques 
for presenting the parameter limit. Three techniques were considered. 
The first technique was to enter the parameter into a ROM that had an 
output of "0" or "1" depending on whether the parameter limit had 
been exceeded. The second was to store the parameter limit in a core 
memory and compare it with the parameter measured. The third was 
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to enter the parameter limit in a local thumbwheel register and have 
it continuously available to the comparator. This last alternative was 
chosen as the most practical because the limit was easily changed,, it 
complied with channel separation, and required no data transfers from 
a common core memory. 

Another choice concerned at what point to combine the signal 
from the four detectors; i.e. , the choice of using one of the following 
as signals into the scram logic modules: 

1. A, B, C, D (INDEPENDENTLY) 

2. A-C, A+C, B-D, B+D 

Choice 2 simplified the logic in the scram logic module and reduced 
the number of ICs there, possibly improving module mean -time -to - 
failure (MTTF); however, the added circuitry in the comparator 
modules negated that MTTF improvement with respect to the overall 
channel. A second flaw in choice 2 was the transmission of comhined 
signals to the scram logic modules. An IC failure in the comparator 
module could interrupt some combination of both signals from a signal 
channel; therefore choice 2 was rejected. 

D. DESCRIPTION OF A COMPARATOR MODULE (COM) 

As shown in Figure 9 the complement of the parameter reference 
from a thumbwheel register is directly compared with the digital para- 
meter signal complement. If the signal is smaller, its complement is: 
larger and a logical "l" is gated to a TTL buffer. If the signal input 
is interrupted or supply voltage to the comparator is lost, an unsafe 
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condition (logical "0") is gated. The buffer has the capability of sink- 
ing larger light- emitting diode turn-on surge currents than standard 
TTL devices can. This reduces light turn-on time and increases 
response speed of the photo -isolator. Light turn-off time does not 
appear to be a function of a surge current. The buffer output drives 
two photo-isolators whose light-emitting diodes conduct when a safe 
condition is indicated. The photo-isolators provide independent, 
electrically isolated, single-parameter signals to each of the scram 
logic modules. This is the feature that enables digital IC devices to 
be used in a monitor module. 

E. PROGRAM INPUTS TO THE COMPARATOR MODULE 

The study of comparator module failure modes led to the reali- 
zation that not only must the module conform to the single failure 
criterion, so must the control inputs from the program module since 
one program module provides inputs to both channels on a comparator 
module. 

Consideration of some technique of comparing program module 
parameters to determine which of multiple inputs to use as controls 
for the comparator module led to the conclusion that comparison be- 
tween program module parameters at the program module level 
destroyed electrical independence and that the most fruitful concept 
was to employ two out of three majority voting logic at the comparator 
control input level. Using this technique, a single failure of a control 
module or of a control line to a comparator module would not inhibit 
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operation. The use of photo-isolated program module outputs to the 
comparator module necessitates the use of a MOS-TTL buffer as the 
voting circuit. Since a failure in the three control lines to one section 
of a comparator module will not feed back to the program modules and 
inhibit their operation, those lines can be considered to belong to that 
comparator module section. A common mode failure of the control 
lines can be considered to be the same as a failure of that section of 
the comparator module. 

F. DESCRIPTION OF A SCRAM LOGIC MODULE (SLM) 

The Scram Logic Module shown in Figure 10 combines isolated 
logic signals to give the function: SCRAM = ABC + ABD + BCD + ACD. 
Catastrophic failure of one SLM cannot be propagated to the other 
modules of the digital monitor. Diode isolation prevents propagation 
within the SLM of a short between two inputs of the AND-OR-NOT 
gate; thus enhancing the fault tree analysis and minimizing the loss of 
function. A catastrophic failure to the entire module may cause loss 
of that scram channel. If one signal input channel fails in a no- scram 
condition, all other channels must operate; therefore, some periodic 
test for failure in a no-scram condition is required. 

G. FAULT TREE OF DIGITAL MONITOR MODULE 

Figure 11a is the fault tree of the digital monitor module from 
final output to the driver inputs to the photo -isolator stages on the COM. 
Figure lib is the fault tree for the COM prior to the photo-isolator 
inputs. 
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1. Power Supply Failure 



Power supply failures were not accounted for in this analysis 
because a voltage loss to either the COM or SLM would insert a signal 
tending to cause reactor shut down. The effects of a catastrophically 
high voltage were uncertain; however, one event that would occur is 
photo -isolator light- emitting diode burn-out. The cessation of emis- 
sion would transmit a signal tending to cause reactor shut down also. 

. 2. Wiring Faults 

The term "wiring fault" as used in the diagram refers to 
the worst-case scram -inhibiting casualty to the particular connecting 
wires or printed circuit; i. e. , the only wiring fault applicable to the 
output wiring of the SLM would be a short to Vcc. Opens, grounds, 
or very high voltage would result in a shut down signal. 

3. Compliance with the Single Failure Criterion 

Review of the fault tree for the monitor module itself indicated 
that no single failure within the module could prevent reactor shut down. 
The minimum number of failures required was two independent ones, 
one of the output portion of each scram logic module or of each of two 
comparator circuits. The use of buffers and diode isolation has mini- 
mized propagation of the effects of an IC failure. Reference 25, p.4-7 
states that the testing program for the Advanced Multi -Function Array 
Radar (AMFAR) revealed that failure of TTL integrated circuits, such 
as proposed here, do not seem to propagate. In that case, seven IC 
chip failures not corrected by design occurred in 11.2 million operating 
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hours. No failures propagated to other circuits either on the same 
chip or connected to the failed circuit. 

H. TEST REQUIREMENTS FOR THE MONITOR MODULE 

In-service test procedures must identify circuit failures and 
localize their location at least to the module concerned. The follow- 
ing procedures were adequate to locate defective modules: 

1. Turning off the voltage to one program module and inserting 
unsafe conditions into the comparators, one at a time, functionally 
tests both remaining program modules, the comparator module, and 
the interconnecting wiring to the scram logic module. 

2. Inserting unsafe conditions into two comparators will 
functionally test the scram logic modules. 

While these tests may be automatic or manual, it is considered 
that the inherent redundancy and high mean-time -to-failure preclude 
the need for automatic testing. 
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VI. RELIABILITY CONSIDERATIONS 



While a reactor safety channel may be considered a sub-set of 
a general control system, the emphasis of performance and reliability 
considerations in a reactor safety channel is differentiated from that 
in a reactor control system because of the differences in method of 
determination of parameter state and in the desired state after control 
action is performed. 

A. RELIABILITY CONSIDERATIONS IN A CONTROL SYSTEM 

In a reactor control system, the desired new state and best resul- 
tant action to get there are dependent upon the present reactor state and 
input demands as well as determination of whether or not the reactor 
state is safe. One example is the situation where a parameter is 
sensed by four detectors and one has failed such that an unsafe condition 
is indicated. The control system must reliably estimate actual reactor 
state based on those four signals, along with many others, and may well 
decide that the failed signal will be discarded for control purposes. If 
the spread in values of the four signals is great enough, the control 
system may not be able to decide which signals are correct and pro- 
vision must be made for this possibility. Reference 24 presents the 
same problem in an aircraft control system. In the aircraft though, 
when system state is unclear, pilot override is provided and no action 
or neutral control surface position seems to be considered safer than 
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some positive action because the operating conditions of the aircraft 
are too varied to incorporate in the control model. Reliability con- 
siderations in a control system are not considered in this paper. 

B. RELIABILITY CONSIDERATIONS IN A SAFETY CHANNEL 

The action of a nuclear safety channel is to place the reactor 
in a previously determined safe state if a parameter exceeds a pre- 
determined limit. The limit is calculated allowing for anticipated 
channel errors. 

Primary emphasis in the design of the safety channel is placed 
on the concept that a single failure will not prevent placing the reactor 
in a known safe state. The safe state, being pre-determined, usually 
means shut down and will be so considered here. From a safety 
standpoint, though perhaps inconvenient, it is acceptable for a single 
signal or component failure to cause a shut down even though actual 
reactor conditions are satisfactory. A safe condition in this context 
is usually inconvenient to the operator. In order to provide assurance 
that a single failure will not prevent shut down, multiple signal and 
safety shutdown channels are used. In order to provide continuity of 
operation, voting logic such as one out of two, two out of three or 
four, or three out of four is used. Design effort is used to cause 
most signal or device failures to be self-indicating. Periodic tests 
are used to detect failures that are not self-indicating. 

Because the safe reactor state is pre-determined and the safety 
system is not tasked with the responsibility of determining the exact 
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state of a parameter, reliability analysis of a safety channel may be 
reduced to two separate analyses: 

(1) probable lifetime of components and connections until one 
failure occurs (MTBF). This time must exceed the test 
interval. 

(2) fault tree analysis to show that any one failure cannot prevent 
safety shut down. 

For the MTBF of a safety channel, consideration of the series 
combination of all components and time between single failures, rather 
than failures that would inhibit shut down, is the most conservative 
approach. If this arrangement can be shown to be acceptable, then 
any series /parallel redundant arrangement using the same number of 
components and connections would be acceptable also. 

A MTBF of any failure of 3000 hours or about three months 
continuous operation of an entire monitor channel was selected as an 
arbitrary minimum based, not on state-of-the-art, but on presuming a 
monthly test sequence to assure that proper attention is given to the 
monitor. 

Reliability data for circuits of similar complexity and high 
quality materials to those incorporated in this design [Ref. 25] gave 
an in-use estimated microcircuit failure rate of no more than .192x10” 
failures/hour. Actual operating results were 7/ll.2xl0 + ®= .625x10”® 
failures /hour . 

To find the serial failure rate of a module the component failure 
rates are added. The failure rate per mating of plugs was not included 
since unplugging modules was not considered to be a normal operating 
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procedure. The results of these calculations, as given in Table EL„ 
indicate that a 3000 hour test interval is reasonable and that, since 
the program module has no redundant parts, yet has a much higher 
failure rate than the monitor module, a redundant program module 
should be provided for an operating installation. 
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vn. CONCLUSIONS 



As a result of this investigation, several conclusions were 
reached. Some were basic to the initial goal and some became evident 
as techniques for implementing the circuits were considered. 

A. The design indicates that a ROM circuit using isolated out- 
puts--such as the program module--can perform the program functions 
of a hard-wired sequential controller with an apparent reduction in size 
and complexity. 

B. The meeting of isolation requirements shows that the reactor 
safety system single failure criterion can be met using TTL ICs and 
photo-isolators in the safety circuit. 

C. External performance monitors tend to reduce independence 
of redundant circuits, such as the program module, and voting logic 
downstream of the photo -isolator s performs the same task while main- 
taining redundant module independence. 

D. Photo-isolation should be accomplished at signal branch 
points and should form the upstream terminus of the branch path. 

E. Automatic self-test is not always required if enough redun- 
dancy is provided. 
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APPENDIX A 



INTRODUCTION TO THE LIQUID METAL FAST 
BREEDER REACTOR OVERALL PROGRAM PLAN [Ref. 1] 

The following remarks are quoted from Ref. 1. 

'The Liquid Metal Fast Breeder Reactor (LMFBR) Program has 
been assigned the highest priority in the Atomic Energy Commission's 
(AEC) broader program for the development of civilian nuclear power. 
The primary objective of the civilian power reactor development pro- 
gram in the United States is widespread use of nuclear energy for the 
production of heat and electricity with full exploitation of the energy 
available in our resources of uranium and thorium. The AEC's objec- 
tive also includes fostering the development of a self-sufficient and 
competitive nuclear industry. The need for a power reactor that can 
fully and economically exploit the energy reserves contained in uranium 
and thorium was recognized in the 'Civilian Nuclear Power--A Report 
to the President- -1962' which stated: 

The overall objective of the Commission's nuclear power 
program should be to foster and support the growing use of 
nuclear energy, and importantly to guide the program in 
such directions as to make possible the exploitation of the 
vast energy resources latent in the fertile materials uranium- 
238 and thorium. 

The breeder is needed because it serves the above objective by: 
providing the most efficient means of exploiting the energy available 
in uranium; minimizing the quantity of uranium consumed per unit of 
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electricity generated; providing potential for low fuel costs; extending 
ore reserves manyfold by increasing the utilization of uranium 
recovered from ore; and providing a more effective use for plutonium 
produced in light-water reactor plants. The 1962 Report to the Presi- 
dent includes a detailed discussion of the place to be occupied by the 
breeder in the overall program. 

The 1967 Supplement to the 1962 Report to the President estab- 
lished the following specific objectives: (1) 'The development of 

improved converter and later breeder reactors to convert the fertile 
isotopes to fissionable ones, thus making available the full potential 
of the nuclear fuels;' and (2) 'The early establishment of a self- 
sufficient and growing nuclear power industry that will assume an 
increasing share of the development costs. ' 

In the breeder -reactor concept, excess neutrons produced in the 
process of generating nuclear power by fission are used to produce 
more fissionable material than is consumed. The fissionable isotopes 
U-233, U-235, Pu-239, and Pu-241 all produce more neutrons than 
are needed to maintain a nuclear chain reaction in power reactors. 
Reactor designs for large central- station power plants are arranged 
so that these excess neutrons are absorbed either in U-238, leading 
to the production of Pu-239, or in thorium, leading to the production 
of U-233. Of the four .fissionable isotopes, only U-233, Pu-239, and 
Pu-241 produce sufficient neutrons to allow the possibility, in practical 
power reactors, of producing more fissionable material than is 
consumed. 
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The plutonium isotopes produce the most excess neutrons when 
used as fuel in a fast-neutron reactor, and cycles using U-238 as a 
fertile material and mixtures of Pu-239 and Pu-241 as a fissile material 
form the basis of the LMFBR Program. The isotope Pu-241 is formed 
from Pu-239 through an intermediate isotope, Pu-240, which plays the 
role of a subsidiary fertile material. The thorium-U-233 cycle is the 
basis for breeding by usingthermal-neutr on reactors, but this cycle has 
received relatively less emphasis in fast breeder reactor development 
because the potential breeding gain is less than for the plutonium- 
uranium cycle. 

The fast breeders of major interest are divided into three cate- 
gories: sodium-cooled, gas-cooled, and steam-cooled. The sodium 
cooled fast breeder has been established as the priority program on 
the basis of potential economy, probability of successful development 
interest by reactor manufacturers, and technological experience gained 
in the United States and abroad. Sodium has a combination of advanta- 
geous characteristics: 

(1) Good nuclear properties, helpful in attaining high breeding 

ratios 

(2) A high boiling point, allowing high-temperature operation 
at low pressure- -with resultant good plant thermal efficiency without 
the necessity for thick-walled reactor vessels 

(3) Excellent heat transfer, making possible achievement of 
high specific power and hence low doubling time and fuel cycle costs 



53 



(4) A large heat capacity, allowing time for corrective action in 
the event of a power transient or loss of coolant flow 

(5) Low pumping power and relative lack of corrosion in the 
absence of air and water. 

The Program Plan has been developed to lay out the course of 
action for achieving the objectives of the LMFBR Program. The Plan 
consists of ten sections, each in a separate volume. Volume 1 pre- 
sents the Overall Plan. Each of the other nine volumes treats a 
specific area of the technology in depth by presenting: the objectives 
to be attained, an evaluation of the state of the art, and the tasks to 
be carried out to reach the objectives. This Overall Plan describes 
the scope of each of the nine sections, referred to as Program elements, 
and the relationships between them. " 



54 



APPENDIX B 



LMFBR PERFORMANCE REQUIREMENTS AND 
DATA WORD LENGTHS 

The following Performance Requirements and resultant binary 
word lengths required for data transmission were derived from 
Reference 3, p. 185-294. Binary word lengths include three extra 
bits for maintenance of accuracy: 

1. SENSORS FOR THE DETECTION OF NEUTRONS IN AND 
NEAR THE CORE 



Counter Sensitivity 


10" 5 -10“ 10 CPS/nv 


Current Sensitivity 


10~ 15 -10 _19 A/nv 


Neutron Flux 


10 n -10 16 nv 


Range 


2 or more decades 


BITS for Two Decades Range 
Arbitrary 1% Accuracy 


10 



2. SENSORS FOR THE DETECTION OF NEUTRONS OUT OF CORE 



Counter Sensitivity 


> 0. 7CPS/nv 


Current Sensitivity 


> 10 ^A/nv 


BITS for Two Decades Range 
Arbitrary 1% Accuracy 


10 
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3. 



TEMPERATURE SENSORS FOR GENERAL USE 



Range 


300-1400 F 


Accuracy 


+ 1% on line (+ lFtest) 


Transient Range 


to 2000 F 


Response Time 


unknown 


Thermal Shock 


max rate 100 F/sec 


BITS for 1 F in 2000 F 


14 



4. TEMPERATURE SENSORS FOR USE IN FUEL 

Work is in progress to discover a device that will survive the 
radiation environment. No specifications are set. 

5. SODIUM-FLOW SENSORS FOR USE ON FUEL ASSEMBLIES 



Accuracy 


+ 10% of full range 


Sensitivity 


1% of full range 


Time Constant 


1/2 second or less 


Expected Flow Rates 


150 gal/min to 600 gal/min 


BITS for 1% Sensitivity 


10 



6. SODIUM-FLOW SENSORS FOR USE IN PIPES 



Accuracy 


+ 5% of actual flow 




(above 10% flow) 


Dynamic Range 


10:1 to 100:1 


Flow Range 


0 to 120, 000 gal/min 


BITS for 5% Accuracy 


8 
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7. 



PRESSURE SENSORS FOR USE IN OR NEAR CORE 



Range: 0-15 PSI, absolute and gage pressure. 

0-20 in through 0-400 in water column, differential pressure. 



PURPOSE 


ACCURACY 


TIME CONSTANT 


Safety 


+ 3.0% 


<0.1 sec 




+ 10.0% dynamic 


< 0. 001 sec 


Plant Control 


+ 0.5% 


< 10. 0 sec 




+ 3. 0% 


<0.1 sec 


BITS for 0. 5% Accuracy 


11 



8. PRESSURE SENSORS FOR USE ON PIPES OR VESSELS 
Same as item 7. 



9. PRESSURE SENSORS FOR USE 
Range 

Drift 

Response time 

BITS for 0. 1% Accuracy 

10. SODIUM LEVEL SENSORS 



ON FUEL ELEMENTS 

0-300 through 0-3000 psi 
< 0. 1% full scale per week 
<2.0 min 
13 



Range 
Accuracy 
Response time 
BITS for 1 in/ 50 ft 



0- 1 ft. to 0-50 ft. 

+ 1/2 in. to + several in. 
1 sec to 10 sec 
13 
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11. STRAIN SENSORS FOR USE ON PLANT, CORE, AND FUEL 



COMPONENTS 








Microstrain Range 






+ 2000 Me 


Drift 






<2.0 Mel hr 


Gage Factor 






>1.5 


Linearity 




% 


unknown 


BITS for 2000 M e 






14 


+ 1 Me Arbitrary 
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APPcNDI X C 



COMPUTED MODEL DEMON STRATI ON CF THE DIGITAL PROGRAM MODULE 



THIS MODEL SIMULATES TH- PHYSICAL ACTION OF THE PROGRAM 
MODULE (FIG.l ). THE CONTENTS OF THE PROMS AR? SIMULATED BY 
THE SA M T TYPE '/ECTOR AS THE ACTUAL USE OF THE PRCM DEDICATED 
BIT; I.E., A LOGICAL USE IS REPRESENTED BY .A LOGICAL VECTOR., 
IN THF MODEL, THE SYNC INPUT IS ASSUMED r ON* AND ADDRESSES 
OF PPOM WORDS START AT *1* VICE 'O' BECAUSE ARRAYS CANNOT 
HAVE A 'O’ ADDRESS . 



1. DEFINITION OF TERMS USED 



PAR = DECIMAL STATE OF PROGRAM ADDRESS REGISTER., 

PHYSICALLY, IT IS A MODULO 256 BINARY COUNTER.. 
PAR ADDRESSES ROM-RP. 

RPA = A DECIMAL VECTOR REPRESENTING BITS 0-2 OR RR 
WORDS AND CONTAINING THE NUMBER OF TIMES 
THE SUBROUTINE IS TO BE REPEATED. 

RPB = A LOGICAL VECTOR REPRESENTING BIT 3 CF ROM-RP 

WORDS. *0' = START OF SUBROUTINE COINCIDES WITH 
A SYNC PULSE. 

RPC = A DECIMAL (0-1021 ) VECTOR REPRESENTING BITS 4-11 
OF RGM-RP WORDS AND TWO 'O’ LEAST SIGNIFICANT 
BITS. RPC IS TH~ START ADDRESS CF THE NEXT SUB- 
ROUTINE AND IS PROVIDED AS THE PARALLEL INPUT 
INTO. THE SUBROUTINE ADDRESS REGISTER - SAP., 

SAR = DECIMAL STATE OF SUBROUTINE ADDRESS REGISTER. 

PHYSICALLY, IT IS A MODULO 1024 BINARY COUNTER.. 
SAP ADDRESSES ROM-RS. 

R SA = A LOGICAL VECTOR REPRESENTING BIT 0 CF ROM-RS 

WORDS. PSA = 1 ONLY AT THE END OF A SUBROUTINE., 

P> SB = A LOGICAL VECTOR REPRESENTING BIT I CF ROM-RS 
WORDS RS6 = 1 ONLY AT THE START OF A SUB- 
ROUTINE. RS 5 = 1 CLOCKS PAR AND PCR. 

RSC = A CcCIMAL V£CTO D REPRESENTING BITS 2-(N+2) O c 

ROM-RS. THE MODEL CONTAINS THE ADDRESS OF TH/ T 
WORD. PHYSICALLY, N INDEPENDENT LOGICAL 
OPERATORS WOULD EXIST IN RSC. 

CET = COUNT ENABLE FOR SAR. 

PS = PARALLEL ENABLE FOR SAR (ACTIVE LOW). 

PARALLEL ENTRY = ( ( . NOT • PE ) . AND. CET ) . 

PCR = PROGRAM COUNT REGISTER - CONTROLS PCRB. 

PCP.B= COUNT ENABLE FOP FAR. 

CLOC K=10 MHZ DIGIT AL CLOCK INTO SAR. 

SYNC= SYNC INPUT FOR TH" START OF SUBROUTINES DESIG- 
NATED BY A 'O' ON RPB BUS. 
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2. FLOW DIAGRAM OF THE COMPUTER MODEL 




Figure 12. FLOW CHART FOR COMPUTER 
SIMULATION OF PROGRAM MODULE 



60 




3 



CONTENTS O p PROGRAM PROM, ADDRESS I 



I 


RPA 


RP 8 


RPC 


I 


RPA 


RPB 


RPC 


1 


1 


T 


17 


33 


7 


T 


10 21 


2 


1 


F 


5 


34 


7 


I 


10 Z1 


3 


0 


T 


21 


35 


7 


T 


10 21 


4 


0 


T 


5 


36 


7 


T 


1021 


5 


1 


F 


9 


37 


7 


T 


1021 


6 


7 


T 


1C21 


38 


7 


I 


10 21 


7 


7 


T 


1021 


39 


7 


T 


1021 


8 


7 


T 


1021 


40 


7 


T 


10 21 


9 


7 


T 


1021 


41 


7 


T 


1021 


10 


7 


T 


1021 


42 


7 


T 


10 Z1 


11 


7 


T 


1C 21 


43 


7 


T 


1021 


12 


7 


T 


1021 


44 


7 


T 


1021 


13 


7 


T 


1C 21 


45 


7 


T 


1021 


14 


7 


T 


1021 


46 


7 


T 


1021 


15 


7 


T 


1021 


47 


7 


I 


10 21 


16 


7 


T 


1021 


48 


7 


T 


1021 


17 


7 


T 


1C21 


49 


7 


T 


1021 


18 


7 


• T 


1021 


50 


7 


T 


1021 


19 


7 


T 


1021 


51 


7 


T 


10 21 


20 


7 


T 


10 21 


52 


7 


T 


1021 


21 


7 


T 


1C 21 


53 


7 


T 


1021 


22 


7 


T 


1021 


54 


7 


T 


10 21 


23 


7 


T 


1021 


55 


7 


T 


1021 


24 


7 


T 


1021 


56 


7 


T 


1021 


25 


7 


T 


1021 


57 


7 


T 


1021 


26 


7 


T 


1C21 


58 


7 


T 


1021 


27 


7 


T 


1021 


59 


7 


T 


10 21 


28 


7 


T 


1021 


6C 


7 


T 


1021 


29 


7 


T 


1021 


61 


7 


T 


1021 


30 


7 


T 


1021 


62 


7 


T 


1021 


31 


7 


T 


1021 


' 63 


7 


T 


1021 


32 


7 


T 


1021 


64 


7 


T 


1021 
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4. CONTENTS OF SUBROUTINE PROM, ADDRESS I 



I 


RS A 


RS B 


RS C 


I 


RSA 


R SB 


R SC 


1 


T 


F 


1 


33 


T 


T 


33 


2 


F 


F 


2 


34 


T 


T 


34 


3 


T 


F 


3 


35 


T 


T 


35 


4 


F 


F 


4 


36 


T 


T 


36 


5 


F 


T 


5 


37 


T 


T 


37 


6 


F 


F 


6 


38 


T 


T 


38 


7 


F 


F 


7 


39 


T 


T 


39 


8 


T 


F 


8 


40 


T 


T 


40 


9 


F 


T 


9 


41 


T 


T 


41 


10 


F 


F 


10 


42 


T 


T 


42 


11 


T 


F 


11 


43 


T 


T 


43 


12 


F 


c 


12 


44 


T 


T 


44 


13 


F 


T 


13 


45 


T 


T 


45 


14 


F 


F 


14 


46 


T 


T 


46 


15 


F 


F 


15 


47 


T 


T 


47 


16 


T 


F 


16 


48 


T 


T 


48 


17 


F 


T 


17 


49 


T 


T 


49 


18 


F 


. F 


18 


50 


T 


T 


50 


19 


T 


F 


19 


51 


T 


T 


51 


20 


F 


F 


20 


52 


T 


T 


52 


21 


F 


T 


21 


53 


T 


T 


53 


22 


F 


F 


22 


54 


T 


T 


54 


23 


F 


F 


23 


55 


T 


T 


55 


24 


T 


F 


24 


56 


T 


T 


56 


25 


F 


T 


25 


57 


T 


T 


57 


26 


F 


F 


26 


58 


T 


T 


58 


27 


T 


F 


27 


59 


T 


T 


59 


28 


F 


F 


28 


60 


T 


T 


60 


29 


p 


T 


29 


61 


T 


T 


61 


30 


F 


F 


30 


62 


T 


T 


62 


31 


F 


F 


31 


' 63 


T 


T 


63 


32 


T 


F 


32 


64 


T 


T 


64 
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5. RESULTANT ACTION OF PROGRAM MODULE 
CLOCK SAR CET PE RSA RSB 



RSC PCR PCRB PAR RPA RPB 



0 


1 


T 


1 


17 


T 


2 


18 


T 


3 


19 


T 


4 


17 


T 


5 


18 


T 


6 


19 


T 

SYNC 


7 


5 


T 


8 


6 


T 


9 


7 


T 


10 


8 


T 

SYNC 


11 


5 


T 


12 


6 


T 


13 


7 


T 


14 


8 


T 


15 


21 


T 


16 


22 


T 


17 


23 


T 


18 


24 


T 


19 


5 


T 


20 


6 


T 


21 


7 


T 


22 


8 


T 

SYNC 


23 


9 


T 


24 


10 


T 


25 


11 


T 

SYNC 


26 


9 


T 


27 


10 


T 


28 


11 


T 


29 


17 


T 


30 


18 


T 


31 


15 


T 


32 


17 


T 


33 


18 


T 


34 


19 


T 

SYNC 


35 


5 


T 



F 

T 

T 

F 

T 

T 

F 



T 

F 

F 

T 

F 

F 

T 



T 

T 

F 

T 

T 

T 

F 

T 

T 

T 

F 



F 

F 

T 

F 

F 

F 

T 

F 

F 

F 

T 



T 

F 

T 

T 

F 

T 

T 

F 



T 

F 

F 

T 

F 

F 

T 



F 

T 

F 

F 

T 

F 

F 



RE GUI RED 

TFT 
T F f 

T F f 

F T F 

REQUIRED 
TFT 



F 

F 

F 

T 

F 

F 

F 

T 

F 

F 

F 



REQUIRED 
TFT 
T F F 

F T F 

REQUIRED 
T F 
F 



1 

17 

18 
19 
17 
1 8 
19 



REQUIRED 

TFT 



5 

6 

7 

8 

21 

22 

23 

24 

5 

6 

7 

8 

9 

10 

11 

9 

10 

11 

17 

18 
1 9 

17 

18 
19 



1 

0 

0 

0 

15 

1 

1 



5 0 

6 0 

7 0 

8 0 



15 

0 

0 

C 

15 

0 

0 

0 

15 

1 

I 

1 

0 

0 

0 

15 

1 

1 

0 

0 

0 

15 

1 

1 



T 

F 

F 

F 

T 

T 

T 

SYNC 

F 

p 

c 

F 

SYNC 

T 

F 

p 

F 

T 

F 

F 

F 

T 

T 

T 

T 

SYNC 

F 

F 

F 

SYNC 

T 

T 

T 

F 

F 

F 

T 

T 

T 

SYNC 

F 



1 

1 

1 

1 

2 

2 

2 



1 

1 

1 

1 

1 

1 

1 



REQUIRED 
2 1 

2 1 

2 1 

2 1 

REQUIRED 
3 0 

3 0 



3 

3 

4 
4 
4 

4 

5 
5 
5 
5 



0 

0 

0 

0 

0 

0 

1 

1 

1 

1 



REQUIRED 
5 1 

5 1 

5 1 

REQUIRED 
1 1 



1 

1 

1 

1 

1 

2 

2 

2 



1 

1 

1 

1 

1 

1 

1 

1 



REQUIRED 
2 1 



T 

T 

T 

T 

F 

F 

F 

F 

F 

F 

F 

T 

T 

T 

T 

T 

T 

T 

T 

F 

F 

F 

F 

F 

P 

F 

T 

T 

T 

T 

T 

T 

F 

F 

F 



RPC 

17 

17 

17 

17 

5 

5 

5 

5 

5 

5 

5 

21 

21 

21 

21 

5 

5 

5 

5 

9 

9 

9 

9 



9 

9 

17 

17 

17 

17 

17 

17 

5 

5 

5 

5 
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MAIN SIMULATION PROGRAM 



C INITIALIZE VARIABLES 

CCMM0N/BLK1/RPA, RPe,RPC/ 6LK2/ RSA, RSB, RSC 
*/BLK3/PAR,SAR, D CR,CL0CK,M,CET,PF,SYNC.PCRB 
INTEGER PAR,SAR,RPA(256),RPC(256) ,RSC( 1024) .CLOCK. PCR 
LOGICAL PCR8 , RS B ( 1 02 A ) , RP B ( 2 56 ) , PS, CET , SYNC , RSA ( 10 24 ) 

READ IM INITIAL CONDITIONS (COMPLETE RESET) 

READ IN CONTENTS 0^ ARRAYS SIMULATING ROMS 
PRINT OUT ARRAYS SIMULATING ROMS 

CALL READ 

STATEMENT 5 PROVIDES A RETURN FOR ITERATION 
PRINT PAGE HEADINGS IF NECESSARY 
INCREMENT LIN: C GUNTER ( V) 

5 IF(M.LT.36) GO TO 9 
WRI TE ( 6 , 8 ) 

8 FORMAT( ' 1' » //// ,T16,'5. RESULTANT ACTION OF PROGRAM* 
*. ' MODULE' , // * T 1 6, 'CLOCK ' , T22, 'SAR ' , T26, 'CeT' , T31 , • P£ • 
* , T34 , ' P SA ' , T38 , ' RS 8 ' ,T43 » ' RS C' , T47, ' PCR ' , T52 , ' PCR B ' , 
*T57, 'PAR ' , T63, *RPA * ,T67, ' RPB * , T72 , ' RPC' , / ) 

M =0 

9 M=M+ 1 

PRINT CURRENT STATE AT END OF CLOCK PULSE 
DETERMINE NEED FCR SYNC AND START NEW CLOCK PULSE 
IF ITERATIONS ARE COMPLETED. GO TO 'STOP* 

WRITE (6 ,13) CLOCK ,S AR ,CST , PE, RS A ( S AR > , RS B (S AR ) , 

TRSC ( SAP ) .PCR. PCR B .PAR »RPA( PAR ), RPB (PAR) , RPC ( PAR) 

13 FORMAT ( 13X, 2 15, ALA, T6,T4,L5,I5,I5,L4,I6) 

IF (RSA ( SAR). AND. .NOT. RPB ( PAR) ) WRIT^ (6 ,16 ) 

16 FORMAT ( 24X, 2( 1 3HSYNC REQUIRED . 1 5X) ) 

IF (CLOCK. HQ. 200 )G0 TO 9999 
CLOCK=C LOCK + 1 

UPDATE SAR 

I F ( .NOT .CE T ) GO TO 21 
I p ( CET • AND. .NGT .PS ) SAR = RPC(PAR ) 

IF(CST.AND. P5 ) SAR = SAR+1 

21 I F ( SAR- 10 2 5 ) 23, 22,9000 

22 SAR = 1 

23 CONTINUE 

UPDATE SAR ENABLE GATES: PE-CST 

USING CURRENT CLOCK RS OUTPUT AND LAST CLOCK RP OUTPUT 

C5T=SYNC.0R. PP B ( PAR ) . OR. . NOT . RS A ( S AR ) 

PE = .NOT. (RSA ( SAR) . AND. ( SYNC. OR. RPB (PAR )) ) 

C UPDATE PAR, RESET PAR IF RPA(PAP.) = 7 

IF (PCRB.OR. .NOT .RSB ( SAR ) ) GO TO 32 
PAR=P AR+1 

I F ( PAR- 2 57 ) 32,31,9031 

31 PAR = 1 

32 IF (RPA( PAR) .EQ. 7) PAR=1 
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C UPDATE PCR AND PCRB 

IF(,NOT.RSB(SAR) ) GO TO 44 
PCR = PCR - 1 

40 IP(PCR) 41,42,43 

41 PCR = 15 
GO TO 43 

42 PCRB=. FALSE. 

GO TO 5 

43 PCRB=.TRUS. 

GO TO 5 

44 IF (PCR-15) 40,45,9002 

45 PCR = RPA(PAR) 

GO TO 40 

C ERROR MESSAGES 

9000 WRITF (6, 9500) 

9500 FORMAT ( 10X , 35 HSU BROUT INS ADDRESS REGISTER OVERRUN) 
GO TO 9999 

9001 WRITE (6 ,9501 ) 

9501 FORMAT! 10X , 32H PROG RAM ADDRESS REGISTER OVERRUN) 

GO TO 9999 

9002 WRI T5 (6 ,9502) 

9502 FORMAT! 10X, 32HPROGRAM CONTROL REGISTER OVERRUN) 

9999 STOP 
END 



7. BLOCK DATA INPUT 



BLOCK DATA 

COMMON/B LK1 / RPA ,RP3,RPC/8LK2/RSA,RS8,RSC 
*/BLK3/PAR,SAR,PCR, CLOCK, M,CST, PE. SYNC , PCRB 
INTEGER D A° ,SA R , RP A <2 5 6 ) , RPC (256 ) , RSC! 10 24 ), CLOCK, PCR 
LOGICAL PCRB, RSB ( 1024) ,RPB(256), Fr ,CST , SYNC ,RSA ( 10 24 ) 
DATA RPA/256 2 '7/,RPB/2 5 6 .TRUE ./, PPC/256*" 1021/ ,RSA/ 
#1024-. TRUE. /, RSB/1 024*. TRUE. /, PCRB/. TRUE. / 

DATA PAR/ 1/, SAR/ 1/,PCR/ l/,CL0CK/G/,M/36/ 

DATA CET /.TRUE . /, PS/ . FALSE./ , SYNC/. TRUE./ 

END 
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SUBROUTINE 'READ* 



SUBROUTINE READ 



C 

c 

c. 



READ IN INITIAL CONDITIONS 

READ IN CONTENTS OF ARRAYS SIMULATING ROMS 
PRINT OUT ARRAYS SIMULATING ROMS 



COMMON/ 8LK1/RPA, RPB,RPC/ BLK2/RSA ,RS8,RSC 
/BLK 3/° AR, SaR,°CR, CLOCK, M,C C T, PE, SYNC, P CRB 
INTEGER PAR, SAP , RPi ( 256) , RFC ( 256) ,RSC ( LC24) , CLOCK ,. tr CR 
LOGICAL PCRB , RSB ( 10 24 ) , RPB ( 2 56 ) , Pi, CET, SYNC,RSA< L024) 



READ (5, 108) (RPA( I) ,RP6{I) ,RPC(I) ,1=1 1 5) 

108 FORMAT ( 8 ( I 2 , L 2 , 16) ) 

READ (5 ,109 ) <RSA( I ) ,RSB(I ),RSC(I), 1=1,32) 

109 FORMA T ( 8( 2L2,I 6) ) 

DO 110 T =1,1024 

110 RSCU ) =1 

C PRINT OUT ARRAYS FOR ROM-RP 

N=0 

L=0 

DO 150 1=1,128 
I c ( N ) 143,143,145 

143 WRITE (6, 144) 

144 FORMAT <• 1 • ,//// ,15X,'3. CONTENTS OF PROGRAM FROM* , 
* » , ADDRE SS I', 

24X , 2 ( ' I ' , 3X , 'RPA • . IX, 'R D B * , 2X, *RPC * ,11 X) ,/) 

145 L=L+1 
NN=L+32 
N= N + 1 

WRITE (6, 146 ) L,RFA(L),RPB(L),RPC(L), • 

*NN,RPA( NN) ,R PB (NN) ,RPC ( NN) 

146 FORMAT ( T23, 2( 214, L4, I 6, 9X>, /) 

IF (N.SQ.32 ) L = L+32 

I F ( N . 5 0 . 3 2 ) N =0 
150 CONTINUE 

C PRINT OUT ARRAYS FOR RQM-RS 

N=0 
L =0 

DO 160 1=1,512 
I p (N ) 153, 153,155 

153 WRITE (6 ,1 54 ) 

154 FORMAT! ' 1' ,//// ,15X,'4. CONTENTS OF SUBROUTINE",. 
«• PROM, ADDRESS I',/ 

^//,24X,2 ( ' ! • ,3X, *RSA' , IX, • RS B* ,2X, *RSC* , I1X ) , / ) 

155 L=L+1 
NN=L+32 
N = N+ 1 

WRITE! 6, 156)L , R SA( L ) ,P. SB ( L ) »RSC ( LI , 

*NN,RSA(NN) ,RSB (NM),RSC(NN ) 

156 FORMAT ( T23, 2 ( I 4 ,2L4 , 16 ,9X) ,/) 

IF (N. 50. 32 ) L = L +32 

IF (N.E0.32 ) N=0 
160 CONTINUE 



C 



READ IN ARRAYS FOR ROMS-RS AND RP 



END 
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